Passkey: The answer to the challenges of phishing attacks

Immerse yourself in the era of modern authentication with passkeys: Find out how passkeys can revolutionize the online world and explore the technical background of this innovative security method. Bye bye passwords, bye bye phishing. Hello new and original login via passkey! Simple, fast and safe.

The FIDO Alliance was founded in 2012. Its goal: to design a license-free new standard for identity verification on the web (FIDO = Fast IDentity Online). The American organization includes many “big players” in the tech industry, including Google, Microsoft, Apple, Samsung, Alibaba and Amazon. It has developed an innovative technology that we would like to take a closer look at in this article: identity verification using passkeys. The aim of FIDO is fast online identification: passwords should be abolished and logins made more convenient, but at the same time more secure. But how is that supposed to work?

The importance of passkeys

In a recent study by 1Password, every (!) respondent stated that they had already come into direct or indirect contact with phishing. It is no surprise that the majority of participants consider a secure login method for their online accounts to be extremely relevant. Two-factor authentication (2FA) sounds like a good option in theory, but it has one major disadvantage: it's incredibly easy to lock yourself out of your own accounts. Not to mention the time it takes. The 2FA login is by no means easy or “smooth”. Of course, hackers are also becoming smarter: in recent years, cyber criminals have already found methods to intercept SMS and thus obtain the second factor for authentication. A login would only be truly protected if there were no access data that could be spied on. And this is exactly where passkeys come onto the radar!

Passkeys, also known as security keys or authentication keys, are increasingly becoming an essential link in modern security infrastructures. Unlike regular passwords, they add an additional layer of security by incorporating a physical component into identity verification. The idea behind passkeys is that users can access all of their own online accounts without having to log in with a login name and password every time. The declared goal of passkey technology is to avoid access data that could be spied on. Passkeys were created to provide passwordless sign-in for websites and apps and to make the user experience easier and phishing-proof.

But how does that work? When a profile is created on an online service that supports passkeys, two keys are created that are mathematically linked to each other:

  1. A public key - this is shared with the service, say a website or an application, and is used to encode information that only the private key can decrypt.
  2. A private, asymmetric crypto key - this is an extremely long, completely randomly generated sequence of characters. This private key is only stored on the user's device. With passkey login, a user name or password is no longer required on any linked device, for example laptops or smartphones.

In order to use passkeys, two things are technically necessary: The device must support the “Client to Authenticator Protocol” (CTAP2) in order to be able to communicate securely with the web browser. The online service you want to log into must also support the “Web Authentication” standard API (WebAuthn). This is the interface needed to authenticate yourself using the key-pair principle that passkeys are based on.
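The following is an added example, not part of the original article: a simplified Node.js model of the login that WebAuthn defines, in which the device signs a fresh challenge with the private key and the service verifies the signature with the stored public key. The domain `shop.example`, the look-alike origin and all function names are assumptions; real WebAuthn additionally uses CBOR encoding and attestation, which are omitted here.

```javascript
// Added example: simplified WebAuthn-style assertion check (Node.js built-in crypto only).
const { generateKeyPairSync, createHash, sign, verify, randomBytes } = require("node:crypto");

const RP_ID = "shop.example";             // assumed relying-party ID
const RP_ORIGIN = "https://shop.example"; // assumed legitimate origin
const sha256 = (data) => createHash("sha256").update(data).digest();

// Registration: the device creates the key pair; only publicKey is sent to the service.
const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });

// Device side: sign authenticatorData || SHA-256(clientDataJSON).
// The browser, not the web page, records the origin the user is really on.
function authenticatorSign(challenge, browserOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: browserOrigin,
  }));
  // rpIdHash (32 bytes) + flags (0x05 = user present and verified) + 4-byte counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign("sha256", signed, privateKey) };
}

// Service side: check challenge, origin and RP ID before trusting the signature.
function verifyAssertion(expectedChallenge, assertion, storedPublicKey) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "stale or foreign challenge";
  if (clientData.origin !== RP_ORIGIN) return "origin mismatch";
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  if ((assertion.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return verify("sha256", signed, storedPublicKey, assertion.signature) ? "ok" : "bad signature";
}

function demo() {
  const challenge = randomBytes(32);
  const genuine = authenticatorSign(challenge, RP_ORIGIN, RP_ID);
  // Constructed case: the same challenge answered while the browser is on a look-alike
  // origin. A real browser would not even offer the credential there; the server-side
  // origin check shown here is the second line of defence.
  const lookAlike = authenticatorSign(challenge, "https://shop-example.login.test", RP_ID);
  return {
    genuine: verifyAssertion(challenge, genuine, publicKey),
    lookAlike: verifyAssertion(challenge, lookAlike, publicKey),
    replayed: verifyAssertion(randomBytes(32), genuine, publicKey), // old answer, new challenge
  };
}
console.log(demo());
```

Because the signed data contains the origin and a one-time challenge, an answer captured on another site or during an earlier login is rejected, and no reusable secret ever leaves the device.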

Since passkeys are stored on the respective end devices, a crucial question immediately arises: How can the devices be protected from unauthorized access? Otherwise the door would be wide open for a hacker the moment he gets his hands on someone else's device. Fortunately, there are already solutions for this: modern end devices, whether laptops, smartphones or even smart TVs, offer device and app unlocking via biometric scans. The most well-known are fingerprint scanning and Face ID. In this way, the mix of passkey and biometric data creates an extremely secure type of authentication.

Amazon, Google, Facebook & Co.: Who offers passkeys?

Using passkeys offers a whole range of benefits for users and companies. These include increased security through the physical authentication component, an optimized user experience through seamless login and a reduction in the risk of phishing attacks and password theft. For this reason, some technology companies have already implemented passkeys, most recently the online marketplace Amazon, with a lot of fanfare. And this will probably just be the start: experts assume that passkeys will become increasingly widespread on the market and be used as the norm.

What do you think: Is the future of authentication passwordless plus physical?

If you have any questions about 2FA or passkeys, please contact us.
We inform and support you on your way to becoming a protected company!
